Ransomware attack hits major US data center provider

CyrusOne, one of the biggest data center providers in the US, has suffered a ransomware attack, COD.e has learned.

CyrusOne is currently working with law enforcement and forensics firms to investigate the attack and is also helping customers restore lost data from backups.

The incident took place yesterday and was caused by a version of the REvil (Sodinokibi) ransomware.

This is the same ransomware family that hit several managed service providers in June, over 20 Texas local governments in early August, and 400+ US dentist offices in late August.

According to a copy of the ransom note obtained by ZDNet, this was a targeted attack against the company’s network. The point of entry is currently unknown.

the malware in a nutshell…

The REvil (also known as Sodinokibi) ransomware was first identified on April 17, 2019. It is used by the financially motivated GOLD SOUTHFIELD threat group, which distributes ransomware via exploit kits, scan-and-exploit techniques, RDP servers, and backdoored software installers. Secureworks® Counter Threat Unit™ (CTU) analysis suggests that REvil is likely associated with the GandCrab ransomware due to similar code and the emergence of REvil as GandCrab activity declined. CTU™ researchers attribute GandCrab to the GOLD GARDEN threat group.

REvil can perform the following tasks. Most of these capabilities are configurable, which allows an attacker to fine-tune the payload.

  • Exploit the CVE-2018-8453 vulnerability to elevate privileges
  • Terminate blacklisted processes prior to encryption to eliminate resource conflicts
  • Wipe the contents of blacklisted folders
  • Encrypt non-whitelisted files and folders on local storage devices and network shares
  • Exfiltrate basic host information
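The encryption step in that list (many files rewritten in quick succession on local drives and on network shares) is the behaviour a defender can most readily watch for. The following is an added example, not code from the article, CyrusOne or Secureworks: a small heuristic that scans file-system audit events and flags a host whose write activity within a short window hits a threshold, reporting how many distinct network shares the burst touched. The event layout, the constructed sample events, and the thresholds are assumptions for illustration, not REvil specifics.

```python
"""Added example (not from the article or Secureworks): a simple heuristic
detector for the mass-encryption phase of ransomware such as REvil, run over
constructed file-system audit events. It flags a host when many distinct
files are rewritten inside a short sliding window, and reports how many
network shares the burst reached. Event format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (host, ISO timestamp, operation, path).
# ws01 shows a burst across local files and two shares; ws02 is normal use.
SAMPLE_EVENTS = [
    ("ws01", "2019-12-05T09:00:00", "write", r"C:\Users\a\Documents\q1.xlsx"),
    ("ws01", "2019-12-05T09:00:01", "write", r"C:\Users\a\Documents\q2.xlsx"),
    ("ws01", "2019-12-05T09:00:02", "write", r"\\fs01\finance\budget.docx"),
    ("ws01", "2019-12-05T09:00:02", "write", r"\\fs01\finance\plan.docx"),
    ("ws01", "2019-12-05T09:00:03", "write", r"\\fs02\hr\roster.xlsx"),
    ("ws01", "2019-12-05T09:00:04", "write", r"C:\Users\a\Pictures\img1.jpg"),
    ("ws02", "2019-12-05T09:00:00", "write", r"C:\Users\b\Documents\notes.txt"),
    ("ws02", "2019-12-05T09:30:00", "write", r"C:\Users\b\Documents\notes.txt"),
    ("ws02", "2019-12-05T10:00:00", "write", r"\\fs01\hr\form.pdf"),
]


def is_network_share(path):
    """UNC paths (\\\\server\\share\\...) identify writes to network shares."""
    return path.startswith("\\\\")


def share_name(path):
    """Return the server component of a UNC path, lower-cased."""
    return path.split("\\")[2].lower()


def detect_encryption_bursts(events, window=timedelta(seconds=30), min_files=5):
    """Return {host: (distinct_files, distinct_shares)} for every host with a
    sliding window of `window` length containing at least `min_files`
    distinct written files. The first qualifying window per host is reported.
    Thresholds are assumed values; tune them against a baseline of normal use."""
    by_host = defaultdict(list)
    for host, ts, op, path in events:
        if op == "write":
            by_host[host].append((datetime.fromisoformat(ts), path))

    flagged = {}
    for host, writes in by_host.items():
        writes.sort()  # order by timestamp so the window can slide forward
        start = 0
        for end in range(len(writes)):
            # Advance the window start until it spans at most `window` seconds.
            while writes[end][0] - writes[start][0] > window:
                start += 1
            files = {p for _, p in writes[start:end + 1]}
            if len(files) >= min_files:
                shares = {share_name(p) for p in files if is_network_share(p)}
                flagged[host] = (len(files), len(shares))
                break
    return flagged


if __name__ == "__main__":
    for host, (n_files, n_shares) in detect_encryption_bursts(SAMPLE_EVENTS).items():
        print(f"{host}: {n_files} distinct files rewritten, {n_shares} share(s) touched")
```

A burst of distinct-file rewrites is a coarse signal on its own; in practice it is paired with other telemetry from the list above, such as an unexpected stop of backup or database services just before the writes begin, and with the share count used to prioritise which file servers to isolate first.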